Patrick Gray Principal Security Strategist DATA SECURITY CHALLENGES IN THE ALL TOO PUBLIC AND NOT SO PRIVATE SECTORS

Transcription

1 Patrick Gray Principal Security Strategist DATA SECURITY CHALLENGES IN THE ALL TOO PUBLIC AND NOT SO PRIVATE SECTORS

2 I want you to take home four points Understand Educate Collaborate Prepare

3 It s a great to be here today, but uh, do you know where your data is right now? It s all about data, your data The confidentiality The integrity The availability

4 It s hard to protect data when we really don t even know where it is! So, where is your data today? In the cloud On any device Any place Any time of day or night When aren t we working anymore? When do we call it a day?

5 Cisco SIO to Go Great App

6 Today, it s about mobility In the past few years we shifted our lives to the PC and the Internet Now, it s all about being mobile A PC in your pocket Our mobile work force is growing and expanding

7 Where? Where does work happen?

8 It happens wherever we are! No longer does business take place solely behind network walls The critical work is happening increasingly on social networks, on handheld devices, in the field, and at local cafes

9 Diminishing Border The traditional IT perimeter, with clearly identifiable boundaries, has diminished In its place, a network with limitless potential is rising One where agencies, school, teachers, businesses, students and employees demand access to information whenever and wherever they need it

10 New Considerations It is information technology s role to ensure that the appropriate people, using the correct devices, are accessing the proper resources while having a highly secure yet positive user experience within your networks

11 A blurring of activities In addition, it is common for workers to blend business and personal communications on these social networks, further blurring the network perimeter

12 I just have to check Just last month, 57 million Americans visited social networking sites from a work computer Checking your Facebook account has become the default Water Cooler It's the most commonly visited website at the workplace, twice as popular as Google and three times as popular as Yahoo

13 The keypad is mightier than the sword

14 Cisco on Facebook

15 Cisco on Twitter

16 Cisco on be

17 This is viral Overall, 54 percent of Americans said they keep in touch via social networking websites such as Facebook and LinkedIn

18 It s no longer just close relationships Employees are going places they ve never gone before and are touching technology daily That which they are touching is touching your networks as well

19 That being said There are things we really need to be aware of The bad guys know what we re doing, where we re going and want to make the trip a wee bit more difficult

20 With Web 2.0 A new breed of malware is evolving Google Mashups, RSS feeds, search, all of these can be misused by hackers to distribute malware, attack Web surfers and communicate with botnets

21 Risk it's everywhere And no one knows that better than IT security professionals Disgruntled employees, students, fired employees, clueless employees who succumb to social engineering, passwords left on Post-it notes, wideopen instant messaging and increasingly powerful hacker tools in the hands of teenagers, Web Mobs and Organized Crime targeting Social Media sites

22 Objective? The key objective, of course, is to recognize risk, safeguard your reputation and not reveal sensitive or confidential information that may prove quite harmful to the school system, teachers or students

23 Feel better now? It is estimated that 55,000 new viruses, worms, spyware and other threats hit the Internet daily Congress and the Executive Branch get about 1.8 billion cyber attacks each month

24 Malware Historically, malware has plagued , hidden in malicious attachments While that s still happening, more malware developers are putting their efforts into malicious websites 1 in every 1,000 web pages is infected with malicious drive-by downloadable software

25 Constant Mutation The goal in developing malware is not to simply infect as many systems as possible but to specifically steal usage information and other data from compromised systems Use of polymorphic code that constantly mutates

26 Mobil Malware Few mobile users realize that their smart phones are actual computers, and contain lots of sensitive data ranging from passwords, to data found in work s

27 Mobil Malware Yet cell phones have seen a dramatic rise in "smishing," where attackers send SMS messages with a link attached, urging a user to check out a website, picture or a game When clicked, the link downloads malware on the phone and hackers can steal any information residing on your phone

28 Jeez! What else??? Wardriving lock down those wireless access points at work and at home Spam is huge! Don t become a victim And the phishing is so elegant and is targeting banks as well as retail stores looking for your login credentials

29 Two biggest vectors for Malware Web-based

30 The Human Firewall an invaluable tool A good human firewall employee is one who filters good security practices and rejects any others much like a network firewall only allows authorized traffic and rejects any other The only way to build a good human firewall is to raise employee s awareness; to teach them good habits, to make them recognize bad practices and change them into good practices Your cyber security is only as good as the people who manage it and those who use it

31 So Patrick, why do we really need that Human Firewall?

32 Because, Friend has become a verb Social media users believe there is protection in being part of a community of people they know Criminals are happy to prove this notion wrong

33 Causation The threats and security issues that come with social media aren t usually caused by vulnerabilities in software More commonly, these threats originate from individuals who place an unwarranted amount of transitive trust in the safety of these communities

34 Remember On social sites Your privacy is history They don't have your best interests in mind Social engineering attacks are getting more targeted

35 Trust? Users will trust something or someone because a user they know has also expressed trust in that person or subject We trust because we are curious and curiosity

36 Okay to trust but please verify So, have fun! But monitor Be a bit more vigilant And manage appropriately

37 But what does all this mean? I am just a user and am not an engineer or a technician or a programmer or a geek! I m just sitting at my desk, talking to friends and all sorts of people How in the world am I threatening our network???

38 2 Reasons You probably do not understand policies, procedures, best practices and standards If you do understand them, they are violated because there are no consequences the policies are not enforced Who, me?

39 Education is Critical Few executives grasp the case for investing in safeguards against hackers, malware, and the like Education starts at the top and works its way down the food chain throughout the entire business Before any employee puts their fingers on the keyboard they must understand that it is not their computer

40 The Seven Deadly Sins of Network Security 1. Not measuring risk 2. Thinking compliance equals security 3. Overlooking the people 4. Lax patching procedures 5. Lax logging, monitoring 6. Spurning the K.I.S.S. 7. Too much access for too many

41 The Hackers Disgruntled Insiders Clueless employees Foreign Governments Terror organizations The Opposing Team

42 Biggest Players in the Global Black Market Russia China Brazil Israel U.S.

43 Krews HangUp Team CNHonker Russian Business Network Rock Phish 76Service MAAS Hoff is Thirsty

44 Top 8 Perceived Threats System penetration Sabotage of data Theft of proprietary information Denial of service Viruses and Worms Unauthorized insider access Laptop theft Insider abuse of the Internet

45 System Penetration It is an unfortunate reality that you will suffer a breach of security at some point To bypass security, an attacker only has to find one vulnerable system within the entire network But to guarantee security, you have to make sure that 100 percent of your systems are invulnerable percent of the time

46 Data Leakage: How many instances in 2011? ,678,619 records exposed How were you impacted?

47 Not good But Patrick! It won t happen to us!

48 Whether you get hacked depends Do you assume the posture of, It can t happen here. Do you hear, We haven t heard of any worm outbreaks and all seems quiet. Why upgrade those devices? We have no budget. We re just hanging out in the Rockies! They re only going after the US Government. Then my question is, Can you really afford to give up data today?

49 You can t afford to give up data, so be prepared and alert Every man has a plan, until he gets hit!

50 So, what are they really after? Business data Customer data Confidential data Your personal data Your paycheck Your friends Your family

51 You are the last line of Defense! Step up! Understand Educate Collaborate Prepare

52 Thank You!